From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>,
Alex Williamson <alex.williamson@redhat.com>
Subject: [PATCH 4.4 16/74] vfio: fix ioctl error handling
Date: Mon, 7 Mar 2016 16:02:41 -0800 [thread overview]
Message-ID: <20160308000315.817908842@linuxfoundation.org> (raw)
In-Reply-To: <20160308000315.294406921@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael S. Tsirkin <mst@redhat.com>
commit 8160c4e455820d5008a1116d2dca35f0363bb062 upstream.
Calling return copy_to_user(...) in an ioctl will not
do the right thing if there's a pagefault:
copy_to_user returns the number of bytes not copied
in this case.
Fix up vfio to do
return copy_to_user(...)) ?
-EFAULT : 0;
everywhere.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/vfio_pci.c | 9 ++++++---
drivers/vfio/platform/vfio_platform_common.c | 9 ++++++---
drivers/vfio/vfio_iommu_type1.c | 6 ++++--
3 files changed, 16 insertions(+), 8 deletions(-)
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -446,7 +446,8 @@ static long vfio_pci_ioctl(void *device_
info.num_regions = VFIO_PCI_NUM_REGIONS;
info.num_irqs = VFIO_PCI_NUM_IRQS;
- return copy_to_user((void __user *)arg, &info, minsz);
+ return copy_to_user((void __user *)arg, &info, minsz) ?
+ -EFAULT : 0;
} else if (cmd == VFIO_DEVICE_GET_REGION_INFO) {
struct pci_dev *pdev = vdev->pdev;
@@ -520,7 +521,8 @@ static long vfio_pci_ioctl(void *device_
return -EINVAL;
}
- return copy_to_user((void __user *)arg, &info, minsz);
+ return copy_to_user((void __user *)arg, &info, minsz) ?
+ -EFAULT : 0;
} else if (cmd == VFIO_DEVICE_GET_IRQ_INFO) {
struct vfio_irq_info info;
@@ -555,7 +557,8 @@ static long vfio_pci_ioctl(void *device_
else
info.flags |= VFIO_IRQ_INFO_NORESIZE;
- return copy_to_user((void __user *)arg, &info, minsz);
+ return copy_to_user((void __user *)arg, &info, minsz) ?
+ -EFAULT : 0;
} else if (cmd == VFIO_DEVICE_SET_IRQS) {
struct vfio_irq_set hdr;
--- a/drivers/vfio/platform/vfio_platform_common.c
+++ b/drivers/vfio/platform/vfio_platform_common.c
@@ -219,7 +219,8 @@ static long vfio_platform_ioctl(void *de
info.num_regions = vdev->num_regions;
info.num_irqs = vdev->num_irqs;
- return copy_to_user((void __user *)arg, &info, minsz);
+ return copy_to_user((void __user *)arg, &info, minsz) ?
+ -EFAULT : 0;
} else if (cmd == VFIO_DEVICE_GET_REGION_INFO) {
struct vfio_region_info info;
@@ -240,7 +241,8 @@ static long vfio_platform_ioctl(void *de
info.size = vdev->regions[info.index].size;
info.flags = vdev->regions[info.index].flags;
- return copy_to_user((void __user *)arg, &info, minsz);
+ return copy_to_user((void __user *)arg, &info, minsz) ?
+ -EFAULT : 0;
} else if (cmd == VFIO_DEVICE_GET_IRQ_INFO) {
struct vfio_irq_info info;
@@ -259,7 +261,8 @@ static long vfio_platform_ioctl(void *de
info.flags = vdev->irqs[info.index].flags;
info.count = vdev->irqs[info.index].count;
- return copy_to_user((void __user *)arg, &info, minsz);
+ return copy_to_user((void __user *)arg, &info, minsz) ?
+ -EFAULT : 0;
} else if (cmd == VFIO_DEVICE_SET_IRQS) {
struct vfio_irq_set hdr;
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -999,7 +999,8 @@ static long vfio_iommu_type1_ioctl(void
info.iova_pgsizes = vfio_pgsize_bitmap(iommu);
- return copy_to_user((void __user *)arg, &info, minsz);
+ return copy_to_user((void __user *)arg, &info, minsz) ?
+ -EFAULT : 0;
} else if (cmd == VFIO_IOMMU_MAP_DMA) {
struct vfio_iommu_type1_dma_map map;
@@ -1032,7 +1033,8 @@ static long vfio_iommu_type1_ioctl(void
if (ret)
return ret;
- return copy_to_user((void __user *)arg, &unmap, minsz);
+ return copy_to_user((void __user *)arg, &unmap, minsz) ?
+ -EFAULT : 0;
}
return -ENOTTY;
next prev parent reply other threads:[~2016-03-08 0:02 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 0:02 [PATCH 4.4 00/74] 4.4.5-stable review Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 01/74] use ->d_seq to get coherency between ->d_inode and ->d_flags Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 02/74] drivers: sh: Restore legacy clock domain on SuperH platforms Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 03/74] Btrfs: fix deadlock running delayed iputs at transaction commit time Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 04/74] btrfs: Fix no_space in write and rm loop Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 05/74] btrfs: async-thread: Fix a use-after-free error for trace Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 07/74] block: Initialize max_dev_sectors to 0 Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 08/74] PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 09/74] parisc: Fix ptrace syscall number and return value modification Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 10/74] mips/kvm: fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 11/74] kvm: x86: Update tsc multiplier on change Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 12/74] fbcon: set a default value to blink interval Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 13/74] cifs: fix out-of-bounds access in lease parsing Greg Kroah-Hartman
2016-03-09 3:47 ` Ben Hutchings
2016-03-09 4:23 ` Steve French
2016-03-09 16:17 ` Ben Hutchings
2016-03-08 0:02 ` [PATCH 4.4 14/74] CIFS: Fix SMB2+ interim response processing for read requests Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 15/74] Fix cifs_uniqueid_to_ino_t() function for s390x Greg Kroah-Hartman
2016-03-08 0:02 ` Greg Kroah-Hartman [this message]
2016-03-08 0:02 ` [PATCH 4.4 17/74] KVM: x86: fix root cause for missed hardware breakpoints Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 18/74] arm/arm64: KVM: Fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 19/74] iommu/amd: Apply workaround for ATS write permission check Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 20/74] iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 21/74] iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 22/74] target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 23/74] drm/ast: Fix incorrect register check for DRAM width Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 28/74] drm/amdgpu: return from atombios_dp_get_dpcd only when error Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 29/74] libata: fix HDIO_GET_32BIT ioctl Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 30/74] libata: Align ata_devices id on a cacheline Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 31/74] block: bio: introduce helpers to get the 1st and last bvec Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 32/74] writeback: flush inode cgroup wb switches instead of pinning super_block Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 33/74] Adding Intel Lewisburg device IDs for SATA Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 34/74] arm64: vmemmap: use virtual projection of linear region Greg Kroah-Hartman
2016-03-08 10:40 ` Ard Biesheuvel
2016-03-08 13:44 ` Greg Kroah-Hartman
2016-03-08 13:45 ` Ard Biesheuvel
2016-03-12 1:51 ` Ard Biesheuvel
2016-03-12 5:50 ` Greg Kroah-Hartman
2016-03-12 5:55 ` Ard Biesheuvel
2016-03-12 6:05 ` Greg Kroah-Hartman
2016-03-12 8:14 ` Ard Biesheuvel
2016-03-08 0:03 ` [PATCH 4.4 35/74] PM / sleep / x86: Fix crash on graph trace through x86 suspend Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 36/74] ata: ahci: dont mark HotPlugCapable Ports as external/removable Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 37/74] tracing: Do not have comm filter override event comm field Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 38/74] pata-rb532-cf: get rid of the irq_to_gpio() call Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 39/74] Btrfs: fix loading of orphan roots leading to BUG_ON Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 40/74] Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 43/74] dmaengine: pxa_dma: fix cyclic transfers Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 44/74] [media] adv7604: fix tx 5v detect regression Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 45/74] ALSA: usb-audio: Add a quirk for Plantronics DA45 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 46/74] ALSA: ctl: Fix ioctls for X32 ABI Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 47/74] ALSA: hda - Fix mic issues on Acer Aspire E1-472 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 48/74] ALSA: rawmidi: Fix ioctls X32 ABI Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 49/74] ALSA: timer: Fix ioctls for " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 50/74] ALSA: pcm: " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 51/74] ALSA: seq: oss: Dont drain at closing a client Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 52/74] ALSA: hdspm: Fix wrong boolean ctl value accesses Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 53/74] ALSA: hdsp: " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 54/74] ALSA: hdspm: Fix zero-division Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 55/74] ALSA: timer: Fix broken compat timer user status ioctl Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 56/74] usb: chipidea: otg: change workqueue ci_otg as freezable Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 57/74] USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 60/74] USB: serial: option: add support for Telit LE922 PID 0x1045 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 61/74] USB: serial: option: add support for Quectel UC20 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 62/74] MIPS: scache: Fix scache init with invalid line size Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 63/74] MIPS: traps: Fix SIGFPE information leak from `do_ov and `do_trap_or_bp Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 64/74] cxl: Fix PSL timebase synchronization detection Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 65/74] ubi: Fix out of bounds write in volume update code Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 66/74] i2c: brcmstb: allocate correct amount of memory for regmap Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 67/74] thermal: cpu_cooling: fix out of bounds access in time_in_idle Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 69/74] block: check virt boundary in bio_will_gap() Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 70/74] block: get the 1st and last bvec via helpers Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 71/74] drm/i915: more virtual south bridge detection Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 73/74] modules: fix longstanding /proc/kallsyms vs module insertion race Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 74/74] drm/amdgpu: fix topaz/tonga gmc assignment in 4.4 stable Greg Kroah-Hartman
2016-03-08 11:45 ` [PATCH 4.4 00/74] 4.4.5-stable review Guenter Roeck
2016-03-08 14:19 ` Greg Kroah-Hartman
[not found] ` <56dea53c.a3f6c20a.71577.ffff9660@mx.google.com>
2016-03-08 14:34 ` Greg Kroah-Hartman
2016-03-09 5:32 ` Kevin Hilman
2016-03-08 16:24 ` Shuah Khan
2016-03-09 2:07 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160308000315.817908842@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alex.williamson@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).